Federated Identity Management

Federated Identity Management aims at giving users access to services based on an account at their home organization (the identity provider). The services and the identity provider do not have to belong to the same organization. A major advantage of the concept is that users only have to keep track of the credentials for a single account. The services also profit from higher-quality identity information and from a better level of security, since users are not tempted to reuse their passwords for accounts at multiple service providers.

The Security Assertion Markup Language (SAML) is a widely used standard for Federated Identity Management. In the context of the bwIDM project, a SAML federation consisting of the universities of the state of Baden-Württemberg will be established. The FACIUS concept enables federating non web-based services based on the SAML standard, which is otherwise focused on web-based services.

From 2005 to 2009, the foundation for integrated information management at KIT was laid by the project “Karlsruhe Integrated Information Management (KIM)” and its subprojects “management of courses, examinations and study assistance (LPS)” and “identity management (IDM)”. The results of these projects led to services accessible through the portals “studium.kit.edu” and “intra.kit.edu”. Furthermore, provisioning all KIT employees and students on the basis of their KIT accounts not only provides innovative IT services and facilitation but also contributes substantially to bringing together the people of the university and the large-scale research sector. The project KIM‐IT4INT is to promote the technical integration of further important services and resources for the entire KIT, together with the related operating processes, in cooperation with central and decentralised institutions, so that the merging of KIT is supported by IT. The goal is thus to enhance the capabilities of individuals and the institution and to increase the satisfaction of employees and students through a federatively organised and operated integrated KIT information management.

The bwIDM project

The aim of the bwIDM project (https://www.bwidm.de) is to enable users to seamlessly access distributed resources and services based on a local context. More specifically, users should be able to use the account at their own university to access services of a different university.

In particular, the features of the bwIDM project are:

- Less effort for users to access services: Users should no longer be required to apply for service-specific accounts, and initial hurdles should be reduced.

- Minimal invasiveness of the bwIDM concept: To keep the adaptation overhead low for the participating universities, the bwIDM concept should be as minimally invasive as possible. As the SAML framework Shibboleth is widely used in Baden-Württemberg, it is a key technology for bwIDM. Shibboleth identity providers are already in operational use to federate access to web-based services.

- Federating non web-based services: One of the main challenges of bwIDM lies in federating non web-based services using the existing Shibboleth infrastructure. For instance, accessing services such as bwGrid or bwUniCluster requires an SSH client instead of a web browser. In this context, the FACIUS concept plays a paramount role.

The FACIUS concept

The Security Assertion Markup Language (SAML) is widely used to federate web-based services in academia. To federate non web-based services on top of existing SAML federations, the FACIUS concept was developed within the bwIDM project. In particular, the FACIUS approach aims to fulfil the following requirements:

- Minimized effort to federate existing service deployments: To federate an existing service based on the FACIUS concept, no modified service access point is necessary. The authorization decision is made within a Pluggable Authentication Module (PAM), which the service can be configured to use in many cases (e.g., OpenSSH).

- User friendliness: FACIUS enables users to access services with their familiar, unmodified service clients if the service provider is trusted. To facilitate access to non-trusted service providers, a modified client that does not convey the user's credentials to the service provider can optionally be used.

- Preservation of SAML identity providers: In order to make use of FACIUS, no modifications to SAML identity providers are necessary. Identity providers that already participate in a SAML federation can thus offer their users access to non web-based services without potentially affecting other services.

- Adherence to legal requirements: FACIUS enables service and identity providers to request the user's consent to certain policies and to the release of identity information to third parties.
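The first requirement above places the authorization decision for a non web-based service (such as an SSH login) inside a PAM module that works on the identity information delivered by the SAML identity provider. The following Python example, added here and not code from FACIUS or the bwIDM project, shows the kind of checks such a decision has to make on a SAML 2.0 assertion before an account is granted access: the validity window, the audience restriction (the assertion must have been issued for this service provider), and a required entitlement attribute. The assertion, the entity IDs and the attribute name `urn:example:entitlement` are constructed placeholders; a real deployment would use the attribute agreed within its federation, and signature verification of the assertion is assumed to have been performed by the SAML library that handed the XML to this check.

```python
"""Illustrative authorization check for a SAML 2.0 assertion, of the kind a
PAM-based service gate could run. Added example, not FACIUS/bwIDM code.
Assumption: the assertion's XML signature was already verified upstream."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # production code should prefer defusedxml

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholder attribute name; real federations define their own entitlement attribute.
ENTITLEMENT_ATTRIBUTE = "urn:example:entitlement"

# Our own entity ID as a service provider (constructed placeholder).
EXPECTED_AUDIENCE = "https://sp.cluster.example.invalid/shibboleth"

# Constructed sample assertion: valid for five minutes, issued for the audience above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example-university.invalid/idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example-university.invalid</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.cluster.example.invalid/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:example:entitlement">
      <saml:AttributeValue>urn:example:cluster-user</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def authorize(assertion_xml, expected_audience, required_entitlement, now=None):
    """Return (allowed, detail): detail is the subject NameID on success,
    otherwise the reason the access was refused. `now` is an ISO 8601 string
    (UTC, 'Z' suffix) so that the decision is reproducible; None means now."""
    now_dt = _parse_time(now) if now else datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)

    # 1. Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now_dt < _parse_time(not_before):
        return False, "assertion outside validity window"
    if not_on_or_after and now_dt >= _parse_time(not_on_or_after):
        return False, "assertion outside validity window"

    # 2. Audience: an assertion issued for another service provider must not be accepted.
    audiences = {a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)}
    if expected_audience not in audiences:
        return False, "audience mismatch"

    # 3. Entitlement: the identity provider must have released the required value.
    entitlements = set()
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == ENTITLEMENT_ATTRIBUTE:
            entitlements.update(v.text for v in attr.iterfind("saml:AttributeValue", NS))
    if required_entitlement not in entitlements:
        return False, "required entitlement missing"

    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        return False, "no subject"
    return True, subject


if __name__ == "__main__":
    for when in ("2024-01-01T12:02:00Z", "2024-01-01T12:05:00Z"):
        print(when, authorize(SAMPLE_ASSERTION, EXPECTED_AUDIENCE, "urn:example:cluster-user", when))
```

Run stand-alone, the script shows the same assertion accepted two minutes after issuance and refused once its validity window has passed. A PAM module would map the returned subject (or another released attribute) to the local account being logged into; that mapping is service-specific and is not shown here.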